SEC breach response shows willingness to lead by example (op/ed)

The U.S. Securities and Exchange Commission (SEC) has made two notable moves this month on breach disclosure. First, the agency released guidance that, for the first time, asks publicly traded companies to disclose data breaches and other cyberattacks to investors. Then, the SEC revealed that it had recently suffered a data breach of its own.

Analysts are already calling it an ironic twist for the agency. At the very least, it's an untimely coincidence for the SEC. On the other hand, given the timeline of the two events, this may be the SEC's attempt to lead by example.

According to a Reuters report, the SEC distributed a letter to its staff on October 7 – almost a week before publishing its disclosure guidance – warning employees that a flaw in the agency's compliance program may have exposed their personal brokerage account information.

The letter, signed by SEC chief information officer Thomas Bayer, stated that the breach occurred when Financial Tracking Technologies (FTT), a contractor hired to run the computer program that tracks staff trades, passed certain information to a subcontractor without the agency's permission.

"[I]t is the SEC's policy to provide notification of any incident that presents the potential for unauthorized access to personal information," Bayer wrote.

According to Reuters, the SEC had been investigating the situation since mid-September, and it discovered that FTT may have been sharing information with consultants and subcontractors since July 2009.

FTT's actions do not appear to have been malicious, and Bayer noted that there was no reason to believe the information had been misused. Nevertheless, the letter said, FTT had violated its agreement with the SEC by sharing the information without permission, and none of the third parties involved had been vetted by the market watchdog.

Reuters, which appears to have broken the SEC breach story, published its report on October 14 – one day after the agency published its new cybersecurity disclosure guidance, which calls for more openness about data protection and asks public companies to disclose material cybersecurity risks and incidents.

In the guidance, the SEC acknowledges that no existing disclosure rule explicitly requires companies to report such incidents or risks. By putting forward these requests, the SEC could substantially change the way the private sector handles and reports cyber incidents – a change that may or may not be welcomed by the organizations it affects. But the agency argued that the time has come for such action, as cybersecurity failures can be costly for a company in terms of financial penalties, lost revenue and reputational damage.

It is worth noting that the SEC's guidance is not law, and companies are not required to adhere to the practices it describes. But it should also be highlighted that this is the first time the SEC has formally recommended that companies disclose information about data breaches, which could eventually lead to broader changes at the national level.

Senator John Rockefeller was one of the voices urging the SEC to introduce such guidelines. Data security has been in Rockefeller's sights for some time now, and this would appear to be at least a small victory for the Democrat from West Virginia.

"Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark. This guidance changes everything," Rockefeller said in a statement.

"It will allow the market to evaluate companies in part based on their ability to keep their networks secure. We want an informed market and informed consumers, and this is how we do it," he added.

For his part, Rockefeller has also tried to address data security and breaches through legislation. In June, Rockefeller and Senator Mark Pryor of Arkansas introduced a bill aimed at protecting consumer information and preventing identity theft. Under the proposed legislation, businesses and nonprofits that handle personal information would be required to put specific safeguards in place to ensure that the data is adequately protected.

The legislation would also establish a national data breach notification law, which – in the same spirit as the SEC's guidance – would require organizations that suffer a breach of personal information to notify the people affected. Such a law would effectively replace the nearly 50 separate notification laws now in force across the states and the District of Columbia. That could have significant consequences, as the current patchwork of laws often creates confusion, especially when a breach involves residents of multiple states.

This approach has been supported by several lawmakers as well as the Obama administration. However, given the partisan gridlock in the U.S. Congress, progress on such measures appears to be slow. For now, the SEC's guidance is as close to a set of rules as the private sector has, and it is encouraging to see the agency willing to lead the way.